Logging and reviewing user traffic that bypasses OpenDNS


bunty

New Around Here
Hello All:
I am fairly new to networking, so pardon my ignorance.
I have an ASUS RT-N66U with Merlin firmware. I am using OpenDNS and it's set up to route all DNS queries through the router using the information provided at: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips.
Is it possible to log and/or review all user requests (particularly port 80 and 443 requests) through the router? I am particularly interested in reviewing all calls using an IP address that bypass OpenDNS.
Another related question is whether it's possible to block all requests/URLs that are not possible with DNS. Though this is not ideal, I would like to know if it's possible.
Thanks for the help.
Bunty
 
Is it possible to log and/or review all user requests (particularly port 80 and 443 requests) through the router? I am particularly interested in reviewing all calls using an IP address that bypass OpenDNS.

The only way I know of to do this with the Merlin firmware (or practically every firmware out there but Tomato) is to use a syslog parser like WallWatcher. I honestly don't know if WallWatcher will still work with the Merlin firmware, but there is always a chance Merlin may pop in and give us a yay/nay on it.


Another related question is whether it's possible to block all requests/URLs that are not possible with DNS. Though this is not ideal, I would like to know if it's possible.
Thanks for the help.
Bunty
Not really sure what this question is.
If you block port 53 in the firewall, then the only way clients could make a DNS request is via the router itself.

Why would it be needed though if you already have redirected lookups?
 
If your goal is to control DNS access, take a look at DNSFilter. It pretty much supersedes the Wiki article you used by making it easily configurable through a webui.

As for logging, once everything is forced through OpenDNS, I believe they offer a service that gives you control/logging of DNS queries.
 
edit: I reread your question. You want to know what's addressing the internet by IP only, that hasn't used DNS, and block that. i.e. http://74.125.226.146

You can log http traffic with tcpdump. Install it from entware or optware.

tcpdump -s0 -A -i any port 80 or 443
tcpdump -s0 -i any port 80 or 443 -w filename.pcap

You can change -i any to the VPN interface. I think -i ppp0 (check with ifconfig). -i any may "duplicate" the viewed traffic.

But this won't tell you what bypassed DNS without careful inspection.
If you write it to a file with -w, you can inspect the traffic in Wireshark on a PC. Look for GET requests that are to an IP only. Inspecting SSL traffic won't work, so watching port 443 won't help. Inspecting for a lack of DNS responses containing an IP that used 443 would be painful, but isn't impossible per se.

I don't know of a nice clean automated way to do this for port 80 traffic (+not being resource intensive). It's deep packet inspection.
 
Last edited:
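The "lack of DNS responses containing an IP" check from the post above, as an added example that is not part of the thread or of any firmware: it reads the text that `tcpdump -nn -tt -r capture.pcap 'port 53 or port 80 or port 443'` prints (the -w capture written on the router, replayed on a PC), remembers every A record each LAN client received, and reports TCP SYNs to port 80/443 whose destination was never handed to that client by DNS. The LAN range 192.168.1.0/24, the OpenDNS resolver address 208.67.222.222 and the sample lines are assumptions constructed for the example. Expect false positives for clients that cached an answer before the capture started, so start the capture well before the window of interest and treat the output as a list of things to look at rather than a verdict.

```python
"""Flag port 80/443 connections whose destination never came from a DNS answer.

Added example, not code from the thread. Input is the text output of
    tcpdump -nn -tt -r capture.pcap 'port 53 or port 80 or port 443'
-nn stops tcpdump from doing its own reverse lookups (which would add DNS
traffic of its own); -tt prints epoch timestamps that are easy to parse.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump -nn -tt text format (not a real capture).
# 192.168.1.10 resolves names via OpenDNS before connecting; 192.168.1.11
# connects straight to IP addresses without any DNS traffic at all.
SAMPLE_LINES = """\
1700000001.000000 IP 192.168.1.10.54321 > 208.67.222.222.53: 12345+ A? example.com. (29)
1700000001.020000 IP 208.67.222.222.53 > 192.168.1.10.54321: 12345 1/0/0 A 93.184.216.34 (45)
1700000001.100000 IP 192.168.1.10.54322 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
1700000002.000000 IP 192.168.1.10.54323 > 208.67.222.222.53: 12346+ A? cdn.example.net. (33)
1700000002.030000 IP 208.67.222.222.53 > 192.168.1.10.54323: 12346 2/0/0 CNAME edge.example.net., A 203.0.113.7 (70)
1700000002.200000 IP 192.168.1.10.54324 > 203.0.113.7.80: Flags [S], seq 1, win 64240, length 0
1700000003.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
1700000004.000000 IP 192.168.1.10.54330 > 192.168.1.1.80: Flags [S], seq 1, win 64240, length 0
1700000005.000000 IP 192.168.1.11.40000 > 74.125.226.146.443: Flags [S], seq 1, win 64240, length 0
1700000005.100000 IP 192.168.1.11.40001 > 198.51.100.9.80: Flags [S], seq 1, win 64240, length 0
1700000005.200000 IP 192.168.1.11.40001 > 198.51.100.9.80: Flags [P.], seq 1:80, ack 1, win 502, length 79: HTTP: GET / HTTP/1.1
"""

# "<epoch> IP <src>.<sport> > <dst>.<dport>: <rest>"  (IPv4 lines only)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# An A record inside a DNS answer, e.g. "1/0/0 A 93.184.216.34" or ", A 203.0.113.7".
# The lookbehind keeps the "A" of "CNAME" and "AAAA" from matching.
A_RECORD_RE = re.compile(r"(?<![A-Za-z])A (\d{1,3}(?:\.\d{1,3}){3})\b")

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range; adjust to yours


def find_unresolved_connections(lines, web_ports=(80, 443), dns_port=53,
                                allow=frozenset(), lan=LAN):
    """Return [(ts, client, dst, dport)] for the first SYN from each client to a
    web port whose destination IP that client never received in an A record."""
    resolved = defaultdict(set)  # client IP -> IPs it was given in DNS answers
    seen = set()                 # (client, dst, dport) already reported
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or anything else we do not track
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        rest = m["rest"]
        if sport == dns_port:
            # An answer flowing back to the client: remember every A record in it.
            for ip in A_RECORD_RE.findall(rest):
                resolved[dst].add(ip)
            continue
        if dport not in web_ports or "Flags [S]," not in rest:
            continue  # only the client's initial SYN; "[S.]" is the server's SYN-ACK
        if dst in allow or ipaddress.ip_address(dst) in lan:
            continue  # router web UI, LAN hosts, explicitly allowed destinations
        key = (src, dst, dport)
        if dst not in resolved[src] and key not in seen:
            # Report once per client/destination pair even if -i any duplicated
            # the packet or the client retried the SYN.
            seen.add(key)
            flagged.append((m["ts"], src, dst, dport))
    return flagged


if __name__ == "__main__":
    for ts, client, dst, dport in find_unresolved_connections(SAMPLE_LINES.splitlines()):
        print(f"{ts} {client} -> {dst}:{dport} (no DNS answer seen for this IP)")
```

To run it on a real capture, replace `SAMPLE_LINES.splitlines()` with `sys.stdin` and pipe the tcpdump text into the script; pass `allow={...}` for destinations that are legitimately contacted by IP (update servers, the OpenDNS test page) so they stop showing up.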
Thank you all for the reply. I will check out WallWatcher to see if it helps me interpret the ASUS general syslog file.

Grump - you are correct. I am looking for calls made using an IP on port 443. This is mainly to detect VPN connections using an IP on port 443 (or 80). If we narrow it down to only VPN connections on port 443 or 80, does it make it easier to log and monitor?

I am not familiar with entware or optware, will look into it more.

RMerlin - if a client is opening a VPN connection with an IP address, does that still go to OpenDNS? Also, I am using the free version of OpenDNS; it does not give me a log of every call made. It's more summary information. Do you know if the paid version's logging and reporting is any better? Appreciate your response.

Regards,

Bunty
 
RMerlin - if a client is opening a VPN connection with an IP address, does that still go to OpenDNS?

It will probably still use OpenDNS, but I never tested it. Test it using OpenDNS's test page.

Also, I am using the free version of OpenDNS; it does not give me a log of every call made. It's more summary information. Do you know if the paid version's logging and reporting is any better? Appreciate your response.

No idea, I don't use OpenDNS.
 
Hello All:
I am fairly new to networking, so pardon my ignorance.
I have an ASUS RT-N66U with Merlin firmware. I am using OpenDNS and it's set up to route all DNS queries through the router using the information provided at: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips.
Is it possible to log and/or review all user requests (particularly port 80 and 443 requests) through the router? I am particularly interested in reviewing all calls using an IP address that bypass OpenDNS.
Another related question is whether it's possible to block all requests/URLs that are not possible with DNS. Though this is not ideal, I would like to know if it's possible.
Thanks for the help.
Bunty

This is possible, but it would likely require additional equipment. You need a proxy server. One way would be to have your own DNS resolver that simply returns your proxy server IP for all DNS queries. On your router, you could block all outbound DNS and all outbound HTTP and HTTPS from the LAN. You can configure rules that block such requests AND log all drops, so you can see a log of all bypass attempts.

Your proxy server won't support VPNs, except those made specifically to carry over HTTP/HTTPS, but some proxy servers have abilities to detect and break proxy chaining.

A problem you'd need to resolve is HTTPS. Since your proxy server's SSL certificate won't match the common name for all websites, users would see a warning from their browser and therefore KNOW you're doing a MITM. One way to resolve would be to have your own internal certificate authority, install a certificate from that CA into your proxy server and then install the trusted root into all clients. Clients would then trust that certificate and not throw a warning. A user that checks certificates would still be able to tell, though.

In summary, you'd need a CA, DNS server, and a proxy server, in addition to your router. I think DD-WRT and Merlin can do some of these, but you might be better served looking into separates, or maybe a more powerful device such as an x86 box running something like pfSense or Untangle.

EDIT: Of course, your proxy server would be configured to use OpenDNS as its resolver, so all clients implicitly use OpenDNS. You would make an exception in your firewall ruleset for your proxy server to be able to query OpenDNS.
 
All I have to say is looking at everyone's DNS requests is beyond creepy.
 
Setting up entware and tcpdump on ASUS RT-N66U

Hello Grump:

I have been looking at your suggestions. I would appreciate it if you (or others) can help confirm and answer a few follow-up questions.

Here is what I found I need to do to install entware and tcpdump:

plug in USB storage with one or more ext2/ext3-formatted partitions
entware-setup.sh (pick the partition)
cd /opt
opkg list
opkg install tcpdump
tcpdump -s0 -i ppp0 port 80 or 443 -C 100 -W 10 -w logfile.pcap

Does the above look right?

My first question is, since I changed my directory (cd /opt), does that mean that the log file will be created on the USB disk?

Second question is will tcpdump continue to run even if I quit my telnet/SSH session?

Also related to the second question, if it's possible for tcpdump to continue running, how do I stop it?

Fourth question, do you know the best way to reformat a standard NTFS-formatted USB 3.0 hard drive to ext2 or ext3? Also, which format should I pick, ext2 or ext3?

Finally, what is the best way to transfer the log files from the USB drive to PC/MAC running wireshark?

Like I noted, I am very new to networking and just want to make sure I have enough understanding before I start making changes to my router.

Appreciate the help.

Regards,

Bunty
 
1. -w filename.pcap will write to whatever directory you're in. You can change it to -w /some/path/like/usb0/filename.pcap if you want.

2. No. But you can add & to the end of a command to run it in the background.

3. "killall tcpdump" works. Or "ps | grep tcpdump" then kill the PID (the first number displayed), i.e. "kill 1234".

4. Nope, google it. :)

5. I run Linux and just scp it over. "scp admin@myrouter:/path/to/file /local/path/file" ... You'll have to figure it out. Either move the USB disk over, or set up FTP, something along those lines.
 
Setting up entware and tcpdump on ASUS RT-N66U

Happy to report that I was able to successfully install entware and tcpdump on an external hard drive (ext3 format). With ASUS's built-in network place share/cloud disk, it's easy to access the external drive and its contents from any machine within the network.
 
